Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Various Investations (inc recurring Virtumonde & Smitfraud)

Started by StripeyUnited , Jan 31 2007 05:07 PM

This topic is locked

#1
StripeyUnited

Posted 31 January 2007 - 05:07 PM

Member

Member
19 posts

Hi there, I hope you will be able to help me.

I use a Dell Inspiron 5100 laptop with Windows XP. I discovered yesterday that I had an infection which my AV couldn't deal with despite repeated clean and delete attempts.

The file is described as a variant of Win32/Adware.Virtumonde.0 and is currently squatting as c:\windows\web\smmcd.dll despite all my attempts to uproot it.

I have been having problems updating XP, as I have found IE non-responsive when I've tried to download the updates. Instead I've used my usual Firefox browser but have been faced with error messages which suggest Microsoft aren't recognising my browser.

The problems I've been having include repeated re-infections with SmitFraud despite it being cleaned by Spybot S&D every time I scan.

I guess that makes me a bit slow on the uptake, but the slow running of my pc, the attempts to open IE when I establish my internet connection all point to the fact that there are things lurking I don't want on my pc.

Here's my HijackThis scan:

Logfile of HijackThis v1.99.1
Scan saved at 22:59:02, on 31/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Louise Shepherd\Desktop\VundoFix.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {64DF584C-E78B-B950-F540-9E2B51E3D6EE} - C:\WINDOWS\System32\sgpjgz.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160597149880
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EDD4B14-54F4-4B80-8C79-92BB9796CA01}: NameServer = 80.189.92.2 80.189.94.2
O20 - AppInit_DLLs: C:\WINDOWS\System32\chkntfs.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

#2
Kenny94

Posted 31 January 2007 - 05:19 PM

Member 1K

Member
1,595 posts

Hello StripeyUnited and Welcome to Geeks To Go!

I see you have VundoFix on your desktop. It is likely that you have a variant of the Vundo trojan that hides itself from HijackThis.exe so if we rename HijackThis, the entries should become visible.

Go to the C:\Program Files\HijackThis folder. Right click on the HijackThis.exe file and select "Rename". Rename it geek.exe.

Then run HijackThis again and post a new log please.

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

#3
StripeyUnited

Posted 31 January 2007 - 05:37 PM

Member

Topic Starter
Member
19 posts

Thanks for the welcome, Kenny :whistling:

Can't see any difference, but then I'm not trying to do anything much at present.

Assuming I did right - the file didn't have a .exe extension (it's described as an application)...

Here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 23:36:09, on 31/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Louise Shepherd\Desktop\VundoFix.exe
C:\Program Files\Hijackthis\Geek.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {64DF584C-E78B-B950-F540-9E2B51E3D6EE} - C:\WINDOWS\System32\sgpjgz.dll (file missing)
O2 - BHO: (no name) - {26599C4B-F166-42AA-BA5A-9CA9559046E9} - C:\WINDOWS\Web\smmcd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {64DF584C-E78B-B950-F540-9E2B51E3D6EE} - C:\WINDOWS\System32\sgpjgz.dll (file missing)
O2 - BHO: (no name) - {D6F4E955-F451-4A41-9316-AEBC29087750} - C:\WINDOWS\system32\rpaaenxu.dll (file missing)
O2 - BHO: (no name) - {FC151F5C-80A7-4FD2-814D-EAD89725F86D} - C:\Program Files\Common Files\hoxel.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160597149880
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EDD4B14-54F4-4B80-8C79-92BB9796CA01}: NameServer = 80.189.92.2 80.189.94.2
O20 - AppInit_DLLs: C:\WINDOWS\System32\chkntfs.dll
O20 - Winlogon Notify: smmcd - C:\WINDOWS\Web\smmcd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Edited by StripeyUnited, 31 January 2007 - 05:41 PM.

#4
Kenny94

Posted 31 January 2007 - 10:09 PM

Member 1K

Member
1,595 posts

Hello StripeyUnited

Please read "ALL" of the instructions before proceeding:

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please download VundoFix.exe to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Next, Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

In your next reply, please include these log(s):

* SmitfraudFix Report
* vundofix.txt
* HijackThis log (new)

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

#5
StripeyUnited

Posted 01 February 2007 - 02:39 AM

Member

Topic Starter
Member
19 posts

Hi Kenny

I've had mixed success.

I can't get the SmitfraudFix downloaded. My AV is deleting the file and when I search for it, it's not found anywhere on my computer.

Vundofix has run and I have a new HJT but I couldn't find a vundofix.txt After I rebooted the start-up (from clicking to logon to my ID up to getting the desktop was much faster).

Anyway, here's the post-Vundofix HJT:

Logfile of HijackThis v1.99.1
Scan saved at 08:29:01, on 01/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\Geek.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {64DF584C-E78B-B950-F540-9E2B51E3D6EE} - C:\WINDOWS\System32\sgpjgz.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {64DF584C-E78B-B950-F540-9E2B51E3D6EE} - C:\WINDOWS\System32\sgpjgz.dll (file missing)
O2 - BHO: (no name) - {BBC36776-7299-44EF-B958-CED456FE1DFC} - C:\WINDOWS\Web\smmcd.dll (file missing)
O2 - BHO: (no name) - {D6F4E955-F451-4A41-9316-AEBC29087750} - C:\WINDOWS\system32\rpaaenxu.dll (file missing)
O2 - BHO: (no name) - {FC151F5C-80A7-4FD2-814D-EAD89725F86D} - C:\Program Files\Common Files\hoxel.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160597149880
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EDD4B14-54F4-4B80-8C79-92BB9796CA01}: NameServer = 80.189.94.2 80.189.92.2
O20 - AppInit_DLLs: C:\WINDOWS\System32\chkntfs.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Edited by StripeyUnited, 01 February 2007 - 02:46 AM.

#6
Kenny94

Posted 01 February 2007 - 04:53 AM

Member 1K

Member
1,595 posts

Hello StripeyUnited

but I couldn't find a vundofix.txt

I need to see what vundofix removed. Let's try this... Please navigate to your C:\ drive (double click on My computer and then double click C drive) and locate vundofix.txt if needed use the Windows Search.

Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders" to help find vundofix.txt and post vundofix.txt.

#7
StripeyUnited

Posted 01 February 2007 - 05:52 AM

Member

Topic Starter
Member
19 posts

Hi Kenny

I'd done a search for the file but it came up with nothing. Now I've followed your instructions I've got the vundofix.txt :whistling:

Here it is!

VundoFix V6.3.5

Checking Java version...

Sun Java not detected
Scan started at 22:42:01 31/01/2007

Listing files found while scanning....

C:\WINDOWS\system32\chhhawrm.exe
C:\WINDOWS\system32\ggcgodoe.dll
C:\WINDOWS\system32\iutgicow.dll
C:\WINDOWS\system32\ivodesbr.dll
C:\WINDOWS\system32\iwfmuxhj.dll
C:\WINDOWS\system32\ixqwfald.dll
C:\WINDOWS\system32\iybteqgr.dll
C:\WINDOWS\system32\nmuivdls.dll
C:\WINDOWS\system32\qepglljv.exe
C:\WINDOWS\system32\rrtmaolf.dll
C:\WINDOWS\system32\shvxfifj.dll
C:\WINDOWS\system32\sjnwyajj.dll
C:\WINDOWS\system32\uiiaeptp.dll
C:\WINDOWS\system32\wtquvabe.dll
C:\WINDOWS\system32\yayhkmdp.dll
C:\WINDOWS\Web\dcmms.bak2
C:\WINDOWS\Web\dcmms.ini
C:\WINDOWS\Web\dcmms.ini2
C:\WINDOWS\Web\dcmms.tmp
C:\WINDOWS\Web\smmcd.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\chhhawrm.exe
C:\WINDOWS\system32\chhhawrm.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ggcgodoe.dll
C:\WINDOWS\system32\ggcgodoe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iutgicow.dll
C:\WINDOWS\system32\iutgicow.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ivodesbr.dll
C:\WINDOWS\system32\ivodesbr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iwfmuxhj.dll
C:\WINDOWS\system32\iwfmuxhj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ixqwfald.dll
C:\WINDOWS\system32\ixqwfald.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iybteqgr.dll
C:\WINDOWS\system32\iybteqgr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nmuivdls.dll
C:\WINDOWS\system32\nmuivdls.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qepglljv.exe
C:\WINDOWS\system32\qepglljv.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrtmaolf.dll
C:\WINDOWS\system32\rrtmaolf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\shvxfifj.dll
C:\WINDOWS\system32\shvxfifj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sjnwyajj.dll
C:\WINDOWS\system32\sjnwyajj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uiiaeptp.dll
C:\WINDOWS\system32\uiiaeptp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wtquvabe.dll
C:\WINDOWS\system32\wtquvabe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayhkmdp.dll
C:\WINDOWS\system32\yayhkmdp.dll Has been deleted!

Attempting to delete C:\WINDOWS\Web\dcmms.bak2
C:\WINDOWS\Web\dcmms.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\Web\dcmms.ini
C:\WINDOWS\Web\dcmms.ini Has been deleted!

Attempting to delete C:\WINDOWS\Web\dcmms.ini2
C:\WINDOWS\Web\dcmms.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\Web\dcmms.tmp
C:\WINDOWS\Web\dcmms.tmp Has been deleted!

Attempting to delete C:\WINDOWS\Web\smmcd.dll
C:\WINDOWS\Web\smmcd.dll Has been deleted!

Performing Repairs to the registry.
Done!

#8
Kenny94

Posted 01 February 2007 - 06:11 AM

Member 1K

Member
1,595 posts

Hello StripeyUnited

Thanks for the vundofix log.. :blink:

I'm getting something verified so I'll be back with new instructions soon.
Hey we got 2 inches of snow here in SC and more to come.. :whistling:

#9
StripeyUnited

Posted 01 February 2007 - 06:29 AM

Member

Topic Starter
Member
19 posts

Hi Kenny

I just did a spybot scan and this time the smitfraud didn't come up - only 3 cookie trackers (Advertising.com, Avenue A and Clickbank) plus SpywareBOT which I have partially removed. It was always spybot which showed up smitfraud and even using immunize didn't stop it coming back.

I will check back in lots later today now (UK time). Meanwhile - it's bright and fairly clear here. No sign of snow.

Thanks for all your help so far and your clear instructions - even an idiot like me can follow them!

#10
Kenny94

Posted 01 February 2007 - 07:25 AM

Member 1K

Member
1,595 posts

Hello StripeyUnited

NOD32 Antivirus thinks SmitfraudFix is a virus, it's not. Have you updated your Antivirus (NOD32) recently?

Please read "ALL" of the instructions before proceeding:

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.(if present):

R3 - URLSearchHook: (no name) - {64DF584C-E78B-B950-F540-9E2B51E3D6EE} - C:\WINDOWS\System32\sgpjgz.dll (file missing)
O2 - BHO: (no name) - {64DF584C-E78B-B950-F540-9E2B51E3D6EE} - C:\WINDOWS\System32\sgpjgz.dll (file missing)
O2 - BHO: (no name) - {BBC36776-7299-44EF-B958-CED456FE1DFC} - C:\WINDOWS\Web\smmcd.dll (file missing)
O2 - BHO: (no name) - {D6F4E955-F451-4A41-9316-AEBC29087750} - C:\WINDOWS\system32\rpaaenxu.dll (file missing)
O2 - BHO: (no name) - {FC151F5C-80A7-4FD2-814D-EAD89725F86D} - C:\Program Files\Common Files\hoxel.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\chkntfs.dll

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
- Delete on Reboot
- then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\System32\sgpjgz.dll
C:\WINDOWS\System32\chkntfs.dll
Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"

Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

IMPORTANT: Do not open any other windows or programs while AVG Anti-spyware is scanning, it may interfere with the scanning proccess:

Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode.

In your next reply, please include these log(s):

* AVG Anti-Spyware contents
* HijackThis log (new)

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

#11
StripeyUnited

Posted 01 February 2007 - 08:41 AM

Member

Topic Starter
Member
19 posts

Hi Kenny

Thanks for the new set of instructions. I won't be able to carry these out until tonight, but I do have some clarification questions I need to ask before I do it. I'm replying from another computer just now.

How do I open my computer in safe mode?

If I open my computer in safe mode, can I still use the internet and download the killbox tool and use any of the other advice which involces clicking links?

Many thanks!

#12
Kenny94

Posted 01 February 2007 - 09:56 AM

Member 1K

Member
1,595 posts

Hello StripeyUnited

How do I open my computer in safe mode?

Sorry I left that part out.. Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

If I open my computer in safe mode, can I still use the internet and download the killbox tool and use any of the other advice which involces clicking links?

Go ahead and download killbox tool in normal mode first, then go ahead and remove the files I mention with Killbox. Then download AVG Anti-Spyware and update AVG. Then run AVG Anti-Spyware in safe mode. Do not forget to Select the "Save report as" so you can post it here to look at it.

#13
StripeyUnited

Posted 01 February 2007 - 06:06 PM

Member

Topic Starter
Member
19 posts

Hi Kenny

I'm back and I've followed your instructions (and many thanks for the extra clarification, it really helped :whistling:

)

And I am just adding here that I do keep my AV updated - I check every single time I go online for updates - although I sometimes have to keep clicking update as it doesn't always want to respond when I first click it.

Here's my report of what I've been doing, first-off:

I did the fixes as instructed on HJT - had to do it twice as it wouldn't do the smmcd.dll file first time out. First time I got an error message came up. Sorry but I didn't manage to copy any of the text.

I ran the killbox in safemode twice - once for each file as I couldn't see that it had got both files the first time. And each time I had the pending file rename operations box come up, and both times I had to reboot manually
I did the AVG stuff all in normal mode - hope that's not going to have caused a problem.

So, here's my latest HJT scan log:

Logfile of HijackThis v1.99.1
Scan saved at 23:56:40, on 01/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\Geek.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160597149880
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EDD4B14-54F4-4B80-8C79-92BB9796CA01}: NameServer = 80.189.94.2 80.189.92.2
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

And here's the AVGas one:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:54:09 01/02/2007

+ Scan result:

C:\WINDOWS\em.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1202660629-492894223-854245398-1004\Software\DNS -> Adware.Shorty : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lvnrchuv.dll -> Adware.Winfixer : Cleaned with backup (quarantined).
C:\Program Files\MSN Gaming Zone\hodyv.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\Windows Media Player\kygexavit.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\VundoFix Backups\ggcgodoe.dll.bad -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\VundoFix Backups\iutgicow.dll.bad -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\VundoFix Backups\ivodesbr.dll.bad -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\VundoFix Backups\iwfmuxhj.dll.bad -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\VundoFix Backups\ixqwfald.dll.bad -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\VundoFix Backups\iybteqgr.dll.bad -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\VundoFix Backups\nmuivdls.dll.bad -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\VundoFix Backups\rrtmaolf.dll.bad -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\VundoFix Backups\shvxfifj.dll.bad -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\VundoFix Backups\sjnwyajj.dll.bad -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\VundoFix Backups\uiiaeptp.dll.bad -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\VundoFix Backups\wtquvabe.dll.bad -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\VundoFix Backups\yayhkmdp.dll.bad -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\acjdfvcx.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\VundoFix Backups\qepglljv.exe.bad -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\VundoFix Backups\chhhawrm.exe.bad -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\Documents and Settings\Louise Shepherd\Cookies\louise_shepherd@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Louise Shepherd\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Louise Shepherd\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.33:C:\Documents and Settings\Louise Shepherd\Application Data\Mozilla\Firefox\Profiles\tcxme86w.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.34:C:\Documents and Settings\Louise Shepherd\Application Data\Mozilla\Firefox\Profiles\tcxme86w.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.18:C:\Documents and Settings\Louise Shepherd\Application Data\Mozilla\Firefox\Profiles\tcxme86w.default\cookies.txt -> TrackingCookie.Co : Cleaned.
:mozilla.90:C:\Documents and Settings\Louise Shepherd\Application Data\Mozilla\Firefox\Profiles\tcxme86w.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.29:C:\Documents and Settings\Louise Shepherd\Application Data\Mozilla\Firefox\Profiles\tcxme86w.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.30:C:\Documents and Settings\Louise Shepherd\Application Data\Mozilla\Firefox\Profiles\tcxme86w.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.31:C:\Documents and Settings\Louise Shepherd\Application Data\Mozilla\Firefox\Profiles\tcxme86w.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.32:C:\Documents and Settings\Louise Shepherd\Application Data\Mozilla\Firefox\Profiles\tcxme86w.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.80:C:\Documents and Settings\Louise Shepherd\Application Data\Mozilla\Firefox\Profiles\tcxme86w.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.81:C:\Documents and Settings\Louise Shepherd\Application Data\Mozilla\Firefox\Profiles\tcxme86w.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.82:C:\Documents and Settings\Louise Shepherd\Application Data\Mozilla\Firefox\Profiles\tcxme86w.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.83:C:\Documents and Settings\Louise Shepherd\Application Data\Mozilla\Firefox\Profiles\tcxme86w.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.

::Report end

Edited by StripeyUnited, 01 February 2007 - 06:10 PM.

#14
Kenny94

Posted 02 February 2007 - 01:24 AM

Member 1K

Member
1,595 posts

Hello StripeyUnited :blink:

Nice Job... :whistling:

Also, your logs look good as well. How's your computer running?

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Your Java is probably out of date since you had vundo. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java and Clearing Cache

Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
It will say "Java Plug-in" under the icon.
Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
If you are unable to update you can manually update by going here:
- http://www.java.com/en/download/manual.jsp
After the reboot, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 CheckedDownloaded Applets
Downloaded Applications
Other Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

#15
StripeyUnited

Posted 02 February 2007 - 02:33 AM

Member

Topic Starter
Member
19 posts

Morning (my time at least) Kenny :whistling:

Glad things are looking good from what I did yesterday.

I won't be able to do all of this until this evening, my time, so in about 11 hours time.

I have some questions in the meantime to help me carry out these instructions.

1. Java Icon - there is no Java Icon when I click in control panel. No mention of Java in any shape or form.

2. I don't understand quite what I'm supposed to do in my browser either. When you say click Firefox at the top and choose select all, I can't see anywhere where I can do that, or what it actually means.

Sorry to have more dumb questions, but hopefully I can avoid making a mess of things if I don't do something stupid from not asking the questions!

Thanks for your efforts so far - and the computer does seem to be responding more quickly, despite the amount of stuff now on the desktop.